Volt Typhoon returns with renewed botnet following January takedown


Chinese state-sponsored hacking group Volt Typhoon is reportedly rebuilding its notorious “KV-Botnet” malware network, following a disruption by US law enforcement earlier this year. Security researchers from SecurityScorecard have observed the threat actor rebuilding the botnet, once again focusing on US infrastructure and targets across the globe.

Volt Typhoon, believed to have been active for at least five years, has infiltrated multiple critical infrastructure sectors, primarily using compromised small office/home office (SOHO) networking devices, such as Netgear ProSAFE firewalls, Cisco RV320 routers, DrayTek Vigor routers, and Axis IP cameras. The group’s tactics involve hacking outdated SOHO routers to install custom malware, which creates covert communication channels and maintains persistent access to target networks.

In January, US authorities disrupted the KV-botnet that had leveraged hundreds of US-based SOHO routers, many of which were outdated and unsupported by their manufacturers. An attempted revival of the KV-botnet in February fell short, but SecurityScorecard noted renewed activity in August, when Volt Typhoon began exploiting a zero-day vulnerability.

The latest report reveals that the KV-botnet, also called the “JDYFJ Botnet” due to a distinctive self-signed SSL certificate used in compromised devices, is back in action.

Volt Typhoon has compromised a significant number of routers over the past month, primarily outdated Cisco and Netgear models that are no longer receiving security updates. The devices are hijacked through MIPS-based malware and webshells, using non-standard ports to complicate detection.

Volt Typhoon’s use of MIPS-based malware, similar to the infamous Mirai malware, allows the group to establish covert connections through techniques such as port forwarding over port 8443. By operating on non-standard ports and leveraging unmonitored SOHO routers, Volt Typhoon maintains a low profile, complicating detection efforts.

The group deploys webshells, such as “fy.sh,” embedded within the routers. This provides Volt Typhoon with a persistent access point, ensuring the group’s continued presence in compromised networks while maintaining remote control.
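The two paragraphs above describe the traffic pattern a defender can look for: an edge device (SOHO router or camera) opening sessions on a non-standard port such as 8443, and a self-signed certificate distinctive enough that the botnet was named after it. The following Python is an added illustration written for this page, not SecurityScorecard's or the threat actor's tooling. It triages constructed connection records (a pipe-delimited format invented here) and flags edge-device sources that match those patterns. The edge-device prefix, the suspicious-port set beyond 8443, and the assumption that the string "JDYFJ" appears in the certificate subject are all assumptions; the article says only that the botnet's name derives from the certificate.

```python
"""Triage constructed connection records for the SOHO-router covert-channel
patterns described in the article. Added example, not code from the page."""
from __future__ import annotations
from dataclasses import dataclass

# Non-standard ports the article associates with the covert channels; 8443 is
# the only one it names, the set is meant to be extended by the analyst.
SUSPICIOUS_PORTS = {8443}

# Assumption: the subnet that holds edge devices (routers, IP cameras). RFC 5737
# documentation space is used so the example runs only against constructed data.
EDGE_PREFIX = "192.0.2."

# Assumption: the botnet's self-signed certificate carries "JDYFJ" in its
# subject. The article states only that the botnet is named after the cert.
CERT_MARKER = "JDYFJ"


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    tls_issuer: str
    tls_subject: str


def parse_line(line: str) -> Conn:
    """Parse one constructed record: ts|src|dst|dport|proto|tls_issuer|tls_subject."""
    ts, src, dst, dport, proto, issuer, subject = line.split("|")
    return Conn(ts, src, dst, int(dport), proto, issuer, subject)


def findings_for(conn: Conn) -> list[str]:
    """Return the reasons (possibly none) a single record is suspicious."""
    reasons: list[str] = []
    # Edge device talking out on a non-standard port (port-forwarding channel).
    if conn.src.startswith(EDGE_PREFIX) and conn.dport in SUSPICIOUS_PORTS:
        reasons.append(
            f"edge device {conn.src} -> {conn.dst}:{conn.dport} on non-standard port"
        )
    # Self-signed certificate: issuer and subject are the same entity.
    if conn.proto == "tls" and conn.tls_issuer and conn.tls_issuer == conn.tls_subject:
        reasons.append(f"self-signed certificate subject={conn.tls_subject!r}")
    # Certificate subject carrying the assumed botnet marker string.
    if CERT_MARKER in conn.tls_subject:
        reasons.append(f"certificate subject contains marker {CERT_MARKER!r}")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged source IP to every reason it was flagged."""
    out: dict[str, list[str]] = {}
    for line in lines:
        conn = parse_line(line)
        reasons = findings_for(conn)
        if reasons:
            out.setdefault(conn.src, []).extend(reasons)
    return out


# Constructed sample records; none of these addresses or names are real IoCs.
SAMPLE_LOG = [
    # workstation doing ordinary HTTPS to a CA-issued certificate
    "2024-11-12T10:00:01Z|10.0.5.17|203.0.113.8|443|tls|CN=Example CA|CN=example.org",
    # edge device opening a session on 8443 with a self-signed marker certificate
    "2024-11-12T10:00:07Z|192.0.2.10|198.51.100.23|8443|tls|CN=JDYFJ|CN=JDYFJ",
    # edge device on the standard port with a CA-issued certificate: benign
    "2024-11-12T10:00:09Z|192.0.2.11|203.0.113.8|443|tls|CN=Example CA|CN=example.org",
    # edge device on 8443 over plain TCP, no TLS metadata available
    "2024-11-12T10:00:12Z|192.0.2.12|198.51.100.40|8443|tcp||",
]

if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_LOG).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

In practice the records would come from firewall, NetFlow or TLS-inspection logs rather than an inline list, and the port set and edge-device prefix would come from the organisation's asset inventory; the point is that traffic from devices that should only ever talk on a handful of well-known ports is cheap to baseline and worth alerting on.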

“Though Volt Typhoon doesn’t directly deploy ransomware, it operates within an ecosystem transformed by Ransomware-as-a-Service (RaaS). Under this model, cybercriminals reinvest ransom payments into more sophisticated tools, making their efforts even more dangerous. Reliance on third-party vendors and cloud providers heightens this risk, as ransom-funded advancements in hacking fuel new waves of attacks,” the researchers noted.

In August, researchers from Lumen Technologies discovered a cyber campaign exploiting a zero-day vulnerability (CVE-2024-39717) in Versa Director servers. The campaign, attributed with moderate confidence to Volt Typhoon and another China-linked threat actor known as Bronze Silhouette, involved a custom web shell dubbed ‘VersaMem.’

The web shell’s primary purpose is to intercept and harvest credentials that would enable access into downstream customers’ networks as an authenticated user. Modular in nature, VersaMem also enables the threat actors to load additional Java code that runs exclusively in memory. The same web shell was reportedly observed in an attack targeting Singapore’s largest mobile operator, Singapore Telecommunications (Singtel), in June 2024.
